storaid
New Member
July 23, 2015
Solved

FortiOS v5.2.4 is out(Unstable GUI, Bad SSLVPN)....

  • July 23, 2015
  • 37 replies
  • 153895 views

a little disappointed..

no enhancements..

it's just a bug-fix release....

definitely 1 of terrible f/w for FOS...

UNSTABLE GUI

ANNOYING SSL VPN problem..............

fortinet, I think you must quickly push out next fixed release or give some explanation.........

201508020844, CSB-150730-1-Partial-Config-Loss

FortiGate models listed below may lose configuration pertaining to IPsec interface, virtual access point interface, loopback interface, or virtual-switch interface after a reboot when the FortiGate is deployed with FortiOS 5.2.4 with build number 0688 and time 150722.

FGT20C3X12000161 # get sys stat

Version: FortiGate-20C v5.2.4,build0688,150722 (GA)

Potentially Affected Products:

FortiGate: FG-20C, FG-20C-ADSL, FG-30D, FG-30D-PoE, FG-40C

FortiWiFi: FW-20C, FW-20C-ADSL, FW-30D, FW-30D-PoE, FW-40C

Resolution:

FortiOS 5.2.4 software images for the models above have been rebuilt and re-posted on the customer support web site with build number 0688 and time 150730.
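
The bulletin's check, as an added example (not part of the original post and not Fortinet tooling): the affected and rebuilt images share version 5.2.4 and build number 0688, so only the build time in the `get sys stat` Version line tells them apart. The mapping from the product name in that line to the bulletin's FG-/FW- short names is an assumption, and every sample except the first is constructed.

```python
import re

# Model list and build identifiers copied from the CSB text quoted above.
AFFECTED_MODELS = {
    "FG-20C", "FG-20C-ADSL", "FG-30D", "FG-30D-PoE", "FG-40C",
    "FW-20C", "FW-20C-ADSL", "FW-30D", "FW-30D-PoE", "FW-40C",
}
AFFECTED_BUILD = ("5.2.4", "0688", "150722")  # version, build number, time
REBUILT_BUILD = ("5.2.4", "0688", "150730")

# Assumption: the product name in the Version line maps onto the bulletin's
# FG-/FW- short names like this.
PREFIX = {"fortigate": "FG", "fortiwifi": "FW"}

VERSION_RE = re.compile(
    r"^Version:\s*(?P<family>[A-Za-z]+)-(?P<model>\S+)\s+"
    r"v(?P<ver>\d+\.\d+\.\d+),build(?P<build>\d+),(?P<time>\d{6})",
    re.MULTILINE,
)

def classify(status_output):
    """Return 'affected', 'rebuilt', 'other-build', 'model-not-listed' or 'unparsed'."""
    m = VERSION_RE.search(status_output)
    if m is None or m["family"].lower() not in PREFIX:
        return "unparsed"
    short = f"{PREFIX[m['family'].lower()]}-{m['model']}".lower()
    if short not in {name.lower() for name in AFFECTED_MODELS}:
        return "model-not-listed"
    # Same version and build number on both images: only the time differs.
    found = (m["ver"], m["build"], m["time"])
    if found == AFFECTED_BUILD:
        return "affected"
    if found == REBUILT_BUILD:
        return "rebuilt"
    return "other-build"

# First sample is the output shown in the post; the rest are constructed.
SAMPLES = {
    "from_post": "FGT20C3X12000161 # get sys stat\n\n"
                 "Version: FortiGate-20C v5.2.4,build0688,150722 (GA)\n",
    "rebuilt": "Version: FortiWiFi-30D-POE v5.2.4,build0688,150730 (GA)\n",
    "other_model": "Version: FortiGate-100D v5.2.4,build0688,150722 (GA)\n",
    "garbled": "Version: unknown\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label}: {classify(text)}")
```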

Best answer by GusTech

dfollis wrote:

Why does this keep happening? Fortinet makes such great hardware, but they have seriously burned some of us with bad firmware releases. I'm a constant Fortinet advocate, but this kind of **** demonstrates a lack of QC and concern for the customer environment. These types of issues should definitely be exposed by a good QC system and if the firmware has the potential to wipe a config, for goodness' sake it should not be released. Those of us who are long time Fortinet customers have learned to be wary of new releases and to always reboot the appliance, take a backup, and wait for others to expose the bugs, but it doesn't need to be that way with the right internal controls at Fortinet. Pick up the slack guys. You make a great product but you are tripping over your own feet when you release builds like this.

Completely agree!! And this is NOT the first time this happens........

37 replies

GusTech
New Member
August 5, 2015

I completely agree that there is a difference between these. But, my point is that these actually deliver good solutions that work... It is not silly to compare, I encounter these questions from my clients all the time! Especially all those self-created problems Fortinet creates by themselves.. It's terribly bad of a large "professional" supplier that Fortinet wants to be.

When there is so much trouble there is a huge problem. And we should expect that things work better.. We have to defend Fortinet with tooth and nail every single day! Outside these issues, I personally love Fortinet Hardware/FortiOS, and want it to be the best!

seadave
New Member
August 5, 2015

BrUz wrote:

I completely agree that there is a difference between these. But, my point is that these actually deliver good solutions that work... It is not silly to compare, I encounter these questions from my clients all the time! Especially all those self-created problems Fortinet creates by themselves.. It's terribly bad of a large "professional" supplier that Fortinet wants to be.

When there is so much trouble there is a huge problem. And we should expect that things work better.. We have to defend Fortinet with tooth and nail every single day! Outside these issues, I personally love Fortinet Hardware/FortiOS, and want it to be the best!

Hear, hear. Even with all of the frustration we are experiencing, I'd still take Fortinet over all due to the performance/features/price as compared to everyone else. But that doesn't mean I won't consider a more stable or capable solution if I find it. I never stop looking. I'm loyal but not devout :)

I once had a Cisco team in my office before the Sourcefire purchase, and I asked them why the ASA still didn't have AV capability.  Their response was that they didn't think AV was important at the gateway.  I almost laughed them out of the office.  I've never had a major breach or malware infection in 8 years and AV on the Fortinet is one of the key reasons in my opinion.

Paul_S
New Member
August 5, 2015

I agree with the comments on quality control lacking. New firmware releases seem to be hit or miss. Good QC should produce consistently stable and good quality firmware releases.

My very first firmware upgrade in 2010 caused 20% of my policies to disappear! I hold my breath during all FortiGate upgrades ever since! Not all, but many of the upgrades since then have left me with the post update dilemma that I am sadly getting used to: do I live with major bug X in the new release or downgrade back to living with major bug Y? I try to weigh risks and choose the one that impacts me the least, but often the choices are horrible.

I accept bugs and an imperfect world, but that does mean I should expect major bugs to slip past beta testing in most releases! Only minor bugs should get past beta testing!

FatalHalt
New Member
August 5, 2015

Paul S wrote:

Not all, but many of the upgrades since then have left me with the post update dilemma that I am sadly getting used to: do I live with major bug X in the new release or downgrade back to living with major bug Y?  I try to weigh risks and choose the one that impacts me the least, but often the choices are horrible.

Exactly. We've internally discussed (but not yet built) a reference sheet for working features. I have a number of different customers, each with specific needs and pain points. Customer X might need SSLVPN, but would also like a few of the features in the 5.2 code, while Customer Y is using Radius, and Customer Z needs to have a read-only admin account for some auditing purposes.

Normally, I would like to just pick one firmware version and stick with it. But inevitably something seems to be amiss in any given release. 5.2.4 is SSLVPN and etc, 5.2.2 was the all service bug (fixable), 5.0.9-11(?) allowed a read only admin to make changes. 

emnoc
New Member
August 5, 2015

 

Hear, hear. Even with all of the frustration we are experiencing, I'd still take Fortinet over all due to the performance/features/price as compared to everyone else. But that doesn't mean I won't consider a more stable or capable solution if I find it. I never stop looking. I'm loyal but not devout :)

I agreed and have to laugh that 5.2.x has only been out for a year and we are already heartbroken. I can only hope that 5.2.5 is better, and 5.3.x is even more better.

Ken

GusTech
New Member
August 6, 2015

+ Google Chrome is unstable on all devices running 5.2.4.

Jordan_Thompson_FTNT
Staff
August 6, 2015

BrUz wrote:

+ Google Chrome is unstable on all devices running 5.2.4.

You are likely running into this Google Chrome issue that causes certificate exemptions to be reset:-

 

https://code.google.com/p/chromium/issues/detail?id=513903

https://code.google.com/p/chromium/issues/detail?id=473390

 

It is not a FortiOS bug. Using a trusted certificate would solve the problem.

GusTech
New Member
August 6, 2015

Jordan_Thompson_FTNT wrote:

BrUz wrote:

+ Google Chrome is unstable on all devices running 5.2.4.

You are likely running into this Google Chrome issue that causes certificate exemptions to be reset:-

 

https://code.google.com/p/chromium/issues/detail?id=513903

https://code.google.com/p/chromium/issues/detail?id=473390

 

It is not a FortiOS bug. Using a trusted certificate would solve the problem.

It happens only in 5.2.4. That does not happen in any of < -5.2.3 .. I login without problems, and after 1-2min I have to log in again.

Zulhardy
New Member
August 6, 2015

Another thing I'd like to add.

 

When I upgraded to 5.2.4, I noticed that about 20 WIFI clients were logged onto a single FortiAP 221B. I have five of them around the office where I work at and usually the clients are dispersed among the APs. After downgrading as per TAC advice (for another issue I posted above), the APs then started load balancing them and the usual client dispersal pattern was seen once again.

 

I think so far 5.2.3 is the most stable for my 100D and my FortiAP 221Bs.

GusTech
New Member
August 6, 2015

Zulhardy wrote:

Another thing I'd like to add.

 

When I upgraded to 5.2.4, I noticed that about 20 WIFI clients were logged onto a single FortiAP 221B. I have five of them around the office where I work at and usually the clients are dispersed among the APs. After downgrading as per TAC advice (for another issue I posted above), the APs then started load balancing them and the usual client dispersal pattern was seen once again.

 

I think so far 5.2.3 is the most stable for my 100D and my FortiAP 221Bs.

I have similar problems. FAP21B take all users and working fine.. But, no users are able to connect through local radio in fwf90d. 

seadave
New Member
August 6, 2015

BrUz wrote:

 

I think so far 5.2.3 is the most stable for my 100D and my FortiAP 221Bs. 

 

I agree.  We went from running 5.2.3 on a 100D to running it on a 500D and it is running without any issues that we have been able to detect.  I would say that when I migrated the config, I did it in blocks, by copying and pasting sections of the config file and uploading them via the script import option.  I had to prune/clean the sections with interface name changes using notepad++ but all in all it was a fairly smooth process.

garyxd
New Member
August 6, 2015

Made the huge mistake of upgrading a few customers from 5.2.3 to 5.2.4 last night.  Please do not install this firmware...

 

As some others have hinted, when more than one external interface is used in a load-balanced or virtual-wan-link configuration, external management and SSL VPN traffic stops working.  In one case, it is always asymmetric.  In one external interface, out the other.  No idea.  Fortinet confirmed the bug.  We've also seen lightly used units entering conserve mode.  The ones I upgraded included 100Ds, 300Ds, and 500Ds.

 

I'm not sure why this firmware is still available for download.  Lost some major points with customers today

Diabolicus23
New Member
August 6, 2015
I couldn't agree more...
emnoc
New Member
August 6, 2015

BTW a FGT90D we pushed upgrades earlier, now started having L2TP/ipsec issues, and xauth failures. Users were failing but the same users' credentials (local) copied onto a FGT100D running 5.2.3 had no issues. I think it has to do with the password type, but still investigating. We found out deleting the user password and copying the text exactly back in allows the user to authenticate. Anybody seen issues with config user local and accounts?

I would open a ticket with support but don't have the time and have like 2 other TAC cases for items related to 5.0.10 pending.

SecurityPlus
Explorer III
August 8, 2015

If Fortinet discovers an error in a release (i.e. 5.2.4) will they patch the 5.2.4 release or do they wait till the next release (i.e. 5.2.5) to apply the patch?

 

Are some finding the 5.2.4 release to be problem free or are the problems more widespread?

 

Thanks!

Zulhardy
New Member
August 8, 2015
There are quite a number of bugs in 5.2.4. Do not use it. Use 5.2.3 instead.
SecurityPlus wrote:
If Fortinet discovers an error in a release (i.e. 5.2.4) will they patch the 5.2.4 release or do they wait till the next release (i.e. 5.2.5) to apply the patch?   Are some finding the 5.2.4 release to be problem free or are the problems more widespread?   Thanks!
emnoc
New Member
August 10, 2015

Maybe only a few dozen people have been brave enough to try it?

 

 

or foolish enough

 

Typically I wait at least 2 months b4 loading my gear on the wagon, that way you let others cross the water b4 you . This way if they have problems & drown, you can stay on the banks and be safe.

 

Never run the latest in a production env until you had time to evaluate and demo the code.

simonpt
New Member
August 10, 2015

emnoc wrote:

or foolish enough

 

Typically I wait at least 2 months b4 loading my gear on the wagon, that way you let others cross the water b4 you . This way if they have problems & drown, you can stay on the banks and be safe.

 

Never run the latest in a production env until you had time to evaluate and demo the code.

I agree.  But then you'll still be evaluating v5.2.5 when your v5.0 production boxes go out of support in November.

 

Fortinet's aggressive software product life cycle policy, combined with their lack of decent QA on new releases, has more negative impact on their loyal customer base than I think they realise.

kwilley
New Member
August 18, 2015

simonpt wrote:

Fortinet's aggressive software product life cycle policy, combined with their lack of decent QA on new releases, has more negative impact on their loyal customer base than I think they realise.

+1

ISOffice
New Member
August 18, 2015

We also have upgraded to v5.2.4 (build 688) on our FG 100D cluster. Whilst not having experienced any major faults with it (other than the slightly annoying failure to display the right pane on occasion), the amount of posts here complaining about it does give me cause for concern and I'm thinking of rolling back to v5.2.3 (build 670).

Therefore I'm asking if the following is an acceptable way to downgrade to a previous version.

In the System Information widget, under Firmware Version, select Update.

Under Available Firmware, All Available, I can see several previous versions of FortiOS (image attached). I have the option to choose any of these versions, select Confirm Version Downgrade and click on Backup Config and Downgrade.

Is this a viable (and indeed advisable) way to go about downgrading our appliances? Apparently it may "result in the loss of some configuration". Can anyone be specific about what this may be?

Many thanks,

 

John P

Paul_S
New Member
August 18, 2015

ISOffice wrote:

We also have upgraded to v5.2.4 (build 688) on our FG 100D cluster. Whilst not having experienced any major faults with it (other than the slightly annoying failure to display the right pane on occasion), the amount of posts here complaining about it does give me cause for concern and I'm thinking of rolling back to v5.2.3 (build 670).

Therefore I'm asking if the following is an acceptable way to downgrade to a previous version.

In the System Information widget, under Firmware Version, select Update.

Under Available Firmware, All Available, I can see several previous versions of FortiOS (image attached). I have the option to choose any of these versions, select Confirm Version Downgrade and click on Backup Config and Downgrade.

Is this a viable (and indeed advisable) way to go about downgrading our appliances? Apparently it may "result in the loss of some configuration". Can anyone be specific about what this may be?

Many thanks,

 

John P

I would be on 5.2.4 if I thought it was stable. 5.2.3 has major bugs that affect me. If you got to 5.2.4 without major issues, I would consider staying on 5.2.4 either permanently or at least for a while. If everyone avoids 5.2.4 and does just submit support tickets, then 5.2.5 might not get much better than 5.2.4.

 

Regarding downgrades, the process is fairly predictable. Backup config, upload firmware, restore config. If you have a pre-upgrade config made on the older firmware version and you have not made many changes, then you can use that previous backup. If you read the downgrade section of most release notes it will mention how most of your config will be lost after a downgrade. Don't freak out. This is normal. It will still keep enough config for the device to be reachable for admin login so that you can do the config restore.